Re: AH (without ESP) on a secure gateway
Hilarie,
I think the conflict for "transport" use of AH is fatal. Consider
the following example:
- firewalls A and B use AH for protection between them
- all traffic from A is AH protected using a single SA
- host A.1 (behind firewall A) establishes an SA to B.1 (behind
firewall B) and this SA is also an AH SA
- host B.1 chooses the same SPI for the traffic from A.1 to B.1 that
firewall B chose for traffic from A to B
If A applies a second AH, it would look the same as the original AH used by
A.1 and thus there would be an ambiguity, right? I think that trying to
fix this through the establishment of conventions for order of
interpretation is not a good idea. There may be other problems from trying to do nesting of
non-tunnel mode AH, that have not occurred to me yet.
Steve
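The ambiguity described above can be made concrete with a small model of the receiver-side SA lookup. This is an added illustration, not code from the thread: the addresses, the shared SPI value and the lookup rule (an inbound SA is selected by the destination address of the AH-protected IP header together with the SPI, with a gateway's transport-mode SA recorded against the prefix of the hosts it forwards for, since it cannot name the gateway itself) are all assumptions made for the model. It also goes one step beyond the message by showing the tunnel-mode case, where the outer IP header carries firewall B's own address and the same SPI collision no longer produces two candidates.

```python
"""Model of the SPI collision in the message above (nested transport-mode AH).

Added illustration, not code from the mailing-list thread. The addresses, the
SPI value and the lookup rule (inbound SA chosen by destination address + SPI)
are constructed for this model.
"""
import ipaddress
from dataclasses import dataclass

AH_PROTOCOL = 51  # IANA protocol number for the Authentication Header


@dataclass(frozen=True)
class SA:
    name: str
    spi: int
    mode: str   # "transport" or "tunnel"
    dst: str    # address or prefix the AH-protected IP header is addressed to


@dataclass
class Packet:
    dst: str     # destination in the IP header that carries the outermost AH
    spis: tuple  # SPIs of the stacked AH headers, outermost first


def inbound_lookup(sad, packet):
    """Return every SA that could own the outermost AH header of `packet`.

    The receiver keys its SAD on (destination address, SPI). A transport-mode SA
    that a gateway applies to forwarded traffic cannot name the gateway itself
    as destination, so it is recorded with the prefix of the hosts it covers
    (an assumption of this model).
    """
    dst = ipaddress.ip_address(packet.dst)
    spi = packet.spis[0]
    return [sa for sa in sad
            if sa.spi == spi and dst in ipaddress.ip_network(sa.dst, strict=False)]


# Constructed topology: firewall A (192.0.2.1) fronts 10.1.0.0/16,
# firewall B (192.0.2.2) fronts 10.2.0.0/16; A.1 is 10.1.0.1, B.1 is 10.2.0.1.
SPI = 0x1000  # the value that both firewall B and host B.1 happened to choose

# Steve's scenario: both SAs are transport-mode AH and share the SPI.
FIREWALL_B_SAD_TRANSPORT = [
    SA("A->B gateway AH", SPI, "transport", "10.2.0.0/16"),
    SA("A.1->B.1 host AH", SPI, "transport", "10.2.0.1/32"),
]

# Tunnel-mode alternative: the gateway SA is keyed on firewall B's own address.
FIREWALL_B_SAD_TUNNEL = [
    SA("A->B gateway AH", SPI, "tunnel", "192.0.2.2/32"),
    SA("A.1->B.1 host AH", SPI, "transport", "10.2.0.1/32"),
]


def transport_case():
    """Packet as forwarded by A: IP(A.1->B.1) | AH(SPI, by A) | AH(SPI, by A.1) | data."""
    pkt = Packet(dst="10.2.0.1", spis=(SPI, SPI))
    # Both SAs match (dst, SPI): firewall B cannot tell whose AH the outer one is.
    return [sa.name for sa in inbound_lookup(FIREWALL_B_SAD_TRANSPORT, pkt)]


def tunnel_case():
    """Packet as forwarded by A: IP(A->B) | AH(SPI, by A) | IP(A.1->B.1) | AH(SPI, by A.1) | data."""
    outer = Packet(dst="192.0.2.2", spis=(SPI,))
    gateway_match = [sa.name for sa in inbound_lookup(FIREWALL_B_SAD_TUNNEL, outer)]
    # After B verifies and strips the outer header, the inner packet is looked up
    # again (in reality at B.1; modelled here with the same table for brevity).
    inner = Packet(dst="10.2.0.1", spis=(SPI,))
    host_match = [sa.name for sa in inbound_lookup(FIREWALL_B_SAD_TUNNEL, inner)]
    return gateway_match, host_match


if __name__ == "__main__":
    print("transport nesting, outer AH candidates:", transport_case())
    print("tunnel outer / inner candidates:", tunnel_case())
```

With transport-mode nesting the lookup returns two candidates for the outer AH, which is the ambiguity the message describes; with the gateway SA in tunnel mode, each lookup returns exactly one SA because the outer header's destination is the gateway itself rather than the end host.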